Extracting Windows system Interactive Logon information to CSV file (Time, account name, IP address)

A short script to extract interactive logon information from the Windows Security event log and save it to a CSV file. Empirically I found a filter which shows both console logons and logons via RDP. In the third column it displays the remote IP address for RDP logons and 127.0.0.1 for console logons.

As it works with the Security log, it has to be run in an elevated (Run as administrator) console.

I have tested it on Windows Server 2012, 2022 and Windows 10. This program is supplied as a PoC, without any warranties; use it at your own risk.

It should be run locally on the server from which we would like to extract information. Upon completion it creates a file named in the yyyyMMdd_servername_InteractiveLogons.csv format in the same folder the script is run from.
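A sketch of the approach described above, added here as an example and not the script from this post. It assumes the filter is Security event ID 4624 with LogonType 2 (console) or 10 (RemoteInteractive/RDP); the filter the author actually arrived at is not shown on this page, and the variable names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original script from this post.
# Assumption: "interactive logon" = Security event 4624 with
# LogonType 2 (console) or 10 (RemoteInteractive / RDP).
$interactiveTypes = '2', '10'

# Write the CSV next to the script; fall back to the current directory
# when the code is pasted into a console and $PSScriptRoot is empty.
$folder = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$name   = '{0:yyyyMMdd}_{1}_InteractiveLogons.csv' -f (Get-Date), $env:COMPUTERNAME
$outFile = Join-Path $folder $name

# Reading the Security log requires elevation.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop

$rows = foreach ($evt in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    if ($interactiveTypes -notcontains $data['LogonType']) { continue }

    # Skip the per-session virtual accounts (DWM-1, UMFD-0, ...) that
    # Windows itself logs on with LogonType 2; they are not user logons.
    if ($data['TargetUserName'] -match '^(DWM|UMFD)-\d+$') { continue }

    [pscustomobject]@{
        Time      = $evt.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        IpAddress = $data['IpAddress']
    }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($rows).Count) rows to $outFile"
```

The export only reaches as far back as the Security log's retention, so on a busy server with a small log size the oldest logons may already have been overwritten.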
